From ac66ede6773b67f667bb0f8cd2e1b0d962b33b0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Wed, 19 Jun 2019 17:46:53 +0200 Subject: [PATCH 01/38] Handle Ubuntu >= 18 --- apt/tasks/main.yml | 4 ++-- evolinux-base/tasks/main.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index b02e779f..a57a33bd 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -2,9 +2,9 @@ - name: "Compatibility check" fail: - msg: only compatible with Debian >= 8 + msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04 when: - - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') + - (ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')) and (ansible_distribution != "Ubuntu" or ansible_distribution_major_version | version_compare('18', '<')) tags: - apt diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index ff0213a8..6d0a0f9b 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -3,9 +3,9 @@ - name: "System compatibility checks" assert: that: - - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('8', '>=') - msg: only compatible with Debian >= 8 + - (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu") + - (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>=')) + msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04 - name: Apt configuration include_role: -- 2.39.2 From 682191889fc64c2ec9f0e6fbedd68f1ca8add07d Mon Sep 17 00:00:00 2001 
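Review bot: The second `that:` condition of the evolinux-base hunk, `(… version_compare('8', '>=')) or (… version_compare('18', '>='))`, is equivalent to `>= 8` on its own, so an Ubuntu 16 host passes the assertion, while the apt hunk in the same commit rejects it; the version bound has to be tied to the distribution: `- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))`. This assumes Ansible reports Ubuntu 18.04's major version as `18`, which the apt hunk already relies on. The `msg:` in both hunks reads `Debian >= 8 AND Ubuntu >= 18.04`, where `or` is what is meant. The task list continues outside both hunks.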
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Thu, 20 Jun 2019 09:57:44 +0200 Subject: [PATCH 02/38] apt: Ubuntu bionic sources list Closes #55 --- apt/templates/bionic_basics.list.j2 | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 apt/templates/bionic_basics.list.j2 diff --git a/apt/templates/bionic_basics.list.j2 b/apt/templates/bionic_basics.list.j2 new file mode 100644 index 00000000..bd3e9d9c --- /dev/null +++ b/apt/templates/bionic_basics.list.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +deb http://archive.ubuntu.com/ubuntu/ bionic {{ apt_basics_components | mandatory }} +deb http://archive.ubuntu.com/ubuntu/ bionic-updates {{ apt_basics_components | mandatory }} +deb http://security.ubuntu.com/ubuntu bionic-security {{ apt_basics_components | mandatory }} -- 2.39.2 From b459eab77a5104d7b7c1a28d27691f045d9d77d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Thu, 20 Jun 2019 10:04:10 +0200 Subject: [PATCH 03/38] apt: Install evolix public repo only for Debian Closes #56 --- apt/tasks/evolix_public.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index ba0a0da6..dc80a1b4 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -13,7 +13,7 @@ #url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D data: "{{ lookup('file', 'reg.gpg') }}" -- name: Evolix public list is installed +- name: Evolix public list is installed (only for Debian) template: src: evolix_public.list.j2 dest: /etc/apt/sources.list.d/evolix_public.list @@ -22,6 +22,7 @@ register: apt_evolix_public tags: - apt + when: ansible_distribution == "Debian" - name: Apt update apt: -- 2.39.2 From bd821b7a06d0c768703ec625ae10b8386202f71f Mon Sep 17 00:00:00 2001 
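Review bot: The three `deb` lines hard-code the `bionic` suite, while the compatibility check from PATCH 01 admits any Ubuntu whose major version is 18, which also covers 18.10; writing `{{ ansible_distribution_release }}`, `{{ ansible_distribution_release }}-updates` and `{{ ansible_distribution_release }}-security` in place of the literal keeps the list tied to the host's actual release. How the role selects this template is not visible here, so if it is only ever rendered for bionic the literal is harmless. The mirrors are addressed over plain `http://`, which is acceptable for apt as long as release-signature verification stays enabled; a one-line comment saying so would spare the next reader the question.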
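Review bot: The `when: ansible_distribution == "Debian"` guard is added only to the template task, while the `apt_key` task whose `data: "{{ lookup('file', 'reg.gpg') }}"` line opens the first hunk (its header sits above the hunk) still runs unconditionally, so Ubuntu hosts import the Evolix key into the trusted keyring without ever receiving the repository that key signs. Adding the same `when: ansible_distribution == "Debian"` to the key task keeps the trust decision and the source together. The `register: apt_evolix_public` / `apt_evolix_public | changed` pair still behaves when the template task is skipped, since a skipped result is not changed.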
From: Tristan PILAT Date: Tue, 18 Jun 2019 17:45:15 +0200 Subject: [PATCH 04/38] Fix condition check mistakes in templates --- webapps/evoadmin-web/templates/web-add.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/evoadmin-web/templates/web-add.conf.j2 b/webapps/evoadmin-web/templates/web-add.conf.j2 index b3362fbe..4bc41ad8 100644 --- a/webapps/evoadmin-web/templates/web-add.conf.j2 +++ b/webapps/evoadmin-web/templates/web-add.conf.j2 @@ -1,5 +1,5 @@ CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}" WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}" -{% if evoadmin_multi_php == "True" %} +{% if evoadmin_multi_php == True %} PHP_VERSIONS=(56 70 73) {% endif %} -- 2.39.2 From 99e8e74db8137d52341cbe0a6ebd0978de61efda Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 18 Jun 2019 18:19:45 +0200 Subject: [PATCH 05/38] Add lxc-php README file --- lxc-php/README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 lxc-php/README.md diff --git a/lxc-php/README.md b/lxc-php/README.md new file mode 100644 index 00000000..bb7475d9 --- /dev/null +++ b/lxc-php/README.md @@ -0,0 +1,23 @@ +# lxc-php + +Create LXC containers and install all the required PHP packages as a way to use multiple PHP version on Debian. + +*note : this role depend on the lxc role.* + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +As this role depend on the lxc role, please refer to it for a variable exhaustive list. + +Here is the list of available variables for the PHP part: + +* `php_conf_short_open_tag` Default: `"Off"` +* `php_conf_expose_php` Default: `"Off"` +* `php_conf_display_errors` Default: `"Off"` +* `php_conf_log_errors` Default: `"On"` +* `php_conf_html_errors` Default: `"Off"` +* `php_conf_allow_url_fopen` Default: `"Off"` +* `php_conf_disable_functions` Default: `"exec,shell-exec,system,passthru,putenv,popen"` -- 2.39.2 
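Review bot: `{% if evoadmin_multi_php == True %}` only matches a real boolean; a value supplied as a string (from `-e` or an INI inventory it arrives as `"True"`, the very spelling the old line compared against) now compares unequal and `PHP_VERSIONS` is silently left unset. `{% if evoadmin_multi_php | bool %}` accepts both forms. The same comparison appears in PATCH 07, `when: evoadmin_multi_php == True`, where `when: evoadmin_multi_php | bool` is the equivalent.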
From 74adcb08e8a502a5bfd1df64cd29179a309aa730 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Wed, 19 Jun 2019 17:59:42 +0200 Subject: [PATCH 06/38] Add restart apache2 handler --- webapps/evoadmin-web/handlers/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/webapps/evoadmin-web/handlers/main.yml b/webapps/evoadmin-web/handlers/main.yml index edb3404e..669b0553 100644 --- a/webapps/evoadmin-web/handlers/main.yml +++ b/webapps/evoadmin-web/handlers/main.yml @@ -5,5 +5,10 @@ name: apache2 state: reloaded +- name: restart apache2 + service: + name: apache2 + state: restarted + - name: newaliases command: newaliases -- 2.39.2 From 8918f0ecec3b23d7b6cf6e4ce0fc5c39f7133475 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Wed, 19 Jun 2019 18:00:19 +0200 Subject: [PATCH 07/38] Add proxy_fcgi activation for multi php --- webapps/evoadmin-web/tasks/web.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 23b35204..d9be3b6e 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -46,3 +46,10 @@ owner: evoadmin group: evoadmin force: no + +- name: Enable proxy_fcgi + apache2_module: + state: present + name: proxy_fcgi + notify: restart apache2 + when: evoadmin_multi_php == True -- 2.39.2 From 124af46b7fda79189c992b774ee6a21c5620f089 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jun 2019 15:12:00 +0200 Subject: [PATCH 08/38] Revert "evolinux-base: install "spectre-meltdown-checker" (Debian 9 and later)" This reverts commit 65414d8ae748de19c9bcb7df79518f4ac0ba7481. --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 98a91bd9..dce1ae48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -14,7 +14,6 @@ The **patch** part changes incrementally at each release. * apache: add server status suffix in VHost (and default site) if missing * apt: add a script to manage packages with "hold" mark * etc-git: gitignore /etc/letsencrypt/.certbot.lock -* evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later) * evomaintenance: make hooks configurable * nginx: add server status suffix in VHost (and default site) if missing * redmine: enable gzip compression in nginx vhost -- 2.39.2 From 02e50580e2d44520f2068aa4e40147ee41e2197c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 20 Jun 2019 17:29:23 +0200 Subject: [PATCH 09/38] apache: add a variable to customize the server-status host --- CHANGELOG.md | 1 + apache/defaults/main.yml | 2 ++ apache/tasks/server_status.yml | 5 +++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dce1ae48..560dc89d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added * apache: add server status suffix in VHost (and default site) if missing +* apache: add a variable to customize the server-status host * apt: add a script to manage packages with "hold" mark * etc-git: gitignore /etc/letsencrypt/.certbot.lock * evomaintenance: make hooks configurable diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index ffc74b4e..15ff1a53 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -19,3 +19,5 @@ apache_munin_include: True general_alert_email: "root@localhost" log2mail_alert_email: Null + +apache_serverstatus_host: 127.0.0.1 diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index 6497966b..1d6cd8df 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml 
@@ -62,7 +62,8 @@ - name: apache-status URL is configured for Munin lineinfile: dest: /etc/munin/plugin-conf.d/munin-node - line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto" - regexp: "env.url http://127.0.0.1/server-status" + line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto" + regexp: 'env.url http://[^\\/]+/server-status' insertafter: "[apache_*]" create: no + notify: restart munin-node -- 2.39.2 From 5bca101457e67652dc6eaf42aae183b7c7a75f1b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 09:42:02 +0200 Subject: [PATCH 10/38] evocheck : update from upstream --- CHANGELOG.md | 3 ++- evocheck/files/evocheck.sh | 48 ++++++++++++++++++++++++++------------ 2 files changed, 35 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 560dc89d..8f12bf19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,12 +15,13 @@ The **patch** part changes incrementally at each release. * apache: add a variable to customize the server-status host * apt: add a script to manage packages with "hold" mark * etc-git: gitignore /etc/letsencrypt/.certbot.lock +* evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later) * evomaintenance: make hooks configurable * nginx: add server status suffix in VHost (and default site) if missing * redmine: enable gzip compression in nginx vhost ### Changed -* evocheck : version 19.04 from upstream +* evocheck : update (unreleased) from upstream * evomaintenance : use the web API instead of PG Insert * rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5 * redmine: update default version to 4.0.3 diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 6e9985f2..9fba8154 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh 
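Review bot: The new `regexp: 'env.url http://[^\\/]+/server-status'` is single-quoted, so both backslashes reach the regex engine and the class is `[^\\/]` (anything but a backslash or a slash); it works, but `regexp: 'env.url http://[^/]+/server-status'` says what is meant. Once `apache_serverstatus_host` is set to anything other than the loopback default, Munin fetches `/server-status-{{ apache_serverstatus_suffix }}` from that host over plain HTTP, and the Apache access rule for that location (not in this hunk) has to stay restricted, since the page exposes client addresses and request URIs. The added `notify: restart munin-node` presumes a handler of exactly that name exists in the role; it is not visible here.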
@@ -315,7 +315,7 @@ check_nrpeperms() { } check_minifwperms() { if [ -f "$MINIFW_FILE" ]; then - actual=$(stat --format "%a" $MINIFW_FILE) + actual=$(stat --format "%a" "$MINIFW_FILE") expected="600" test "$expected" = "$actual" || failed "IS_MINIFWPERMS" fi @@ -386,7 +386,7 @@ check_raidsoft() { } # Verification du LogFormat de AWStats check_awstatslogformat() { - if is_installed apache2.2-common awstats; then + if is_installed apache2 awstats; then grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \ || failed "IS_AWSTATSLOGFORMAT" fi @@ -531,20 +531,30 @@ check_userlogrotate() { } # Verification de la syntaxe de la conf d'Apache check_apachectl() { - if is_installed apache2.2-common; then + if is_installed apache2; then /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL" fi } # Check if there is regular files in Apache sites-enabled. check_apachesymlink() { - if is_installed apache2.2-common; then - stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK" + if is_installed apache2; then + apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print) + nbApacheFind=$(wc -m <<< "$apacheFind") + if [[ $nbApacheFind -gt 1 ]]; then + if [[ $VERBOSE == 1 ]]; then + while read -r line; do + failed "IS_APACHESYMLINK" "Not a symlink: $line" + done <<< "$apacheFind" + else + failed "IS_APACHESYMLINK" + fi + fi fi } # Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). check_apacheipinallow() { # Note: Replace "exit 1" by "print" in Perl code to debug it. - if is_installed apache2.2-common; then + if is_installed apache2; then grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ | grep -iv "from all" \ | grep -iv "env=" \ 
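Review bot: In `check_apachesymlink`, `nbApacheFind=$(wc -m <<< "$apacheFind")` followed by `[[ $nbApacheFind -gt 1 ]]` only works because the here-string appends a newline, so an empty result counts as one character; `if [ -n "$apacheFind" ]; then` expresses the intent directly and drops the counter. Nothing else in the hunk reads `nbApacheFind`. `$VERBOSE` is defined outside the hunk.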
@@ -559,7 +569,7 @@ check_muninapacheconf() { else muninconf="/etc/apache2/conf-available/munin.conf" fi - if is_installed apache2.2-common; then + if is_installed apache2; then test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF" fi } @@ -881,12 +891,19 @@ check_mysqlmunin() { } check_mysqlnrpe() { if is_debian_stretch && is_installed mariadb-server; then - nagios_file="~nagios/.my.cnf" - { test -f $nagios_file \ - && [ "$(stat -c %U $nagios_file)" = "nagios" ] \ - && [ "$(stat -c %a $nagios_file)" = "600" ] \ - && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file"; - } || failed "IS_MYSQLNRPE" + nagios_home=$(getent passwd "nagios" | cut -d: -f6) + nagios_file_abs="${nagios_home}/.my.cnf" + nagios_file_sym="~nagios/.my.cnf" + + if ! test -f $nagios_file_abs; then + failed "IS_MYSQLNRPE" "$nagios_file_abs is missing" + elif [ "$(stat -c %U $nagios_file_abs)" != "nagios" ] \ + || [ "$(stat -c %a $nagios_file_abs)" != "600" ]; then + failed "IS_MYSQLNRPE" "$nagios_file_abs has wrong permissions" + else + grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file_sym" /etc/nagios/nrpe.d/evolix.cfg \ + || failed "IS_MYSQLNRPE" "check_mysql is missing" + fi fi } check_phpevolinuxconf() { @@ -1102,7 +1119,7 @@ check_evobackup_incs() { if is_installed bkctld; then bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld} if [ -f "${bkctld_cron_file}" ]; then - root_crontab=$(grep -v "^#" ${bkctld_cron_file}) + root_crontab=$(grep -v "^#" "${bkctld_cron_file}") echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}" echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}" else 
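Review bot: In the `check_mysqlnrpe` hunk, `nagios_home=$(getent passwd "nagios" | cut -d: -f6)` is used without checking that it is non-empty, so on a host without a `nagios` account `nagios_file_abs` becomes `/.my.cnf` and the failure names that file rather than the missing account; a guard such as `[ -n "$nagios_home" ] || { failed "IS_MYSQLNRPE" "nagios user is missing"; return; }` before the assignment reports the real problem. `$nagios_file_abs` is also unquoted in `test -f` and both `stat` calls, unlike the quoting fixes elsewhere in this commit. PATCH 16 rewrites this block around `~nagios/.my.cnf`, which has the same unguarded-account case.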
@@ -1158,7 +1175,7 @@ main() { test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers - test "${IS_DISKPERF:=1}" = 1 && check_diskperf + test "${IS_DISKPERF:=0}" = 1 && check_diskperf test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw @@ -1396,4 +1413,5 @@ while :; do shift done +# shellcheck disable=SC2086 main ${ARGS} -- 2.39.2 From aec0ecea995e444193ea6711e5b9e6d4483ac122 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 10:18:54 +0200 Subject: [PATCH 11/38] tags and whitespaces --- apt/tasks/backports.yml | 12 +++++++----- apt/tasks/basics.yml | 12 +++++++----- apt/tasks/config.yml | 22 ++++++++++++++++------ apt/tasks/evolix_public.yml | 6 ++++-- apt/tasks/hold_packages.yml | 14 ++++++++++++++ apt/tasks/main.yml | 12 ++++++------ 6 files changed, 54 insertions(+), 24 deletions(-) diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.yml index 02e189a3..97f5aede 100644 --- a/apt/tasks/backports.yml +++ b/apt/tasks/backports.yml @@ -5,7 +5,7 @@ regexp: "backports" state: absent tags: - - apt + - apt - name: Backports sources list is installed template: @@ -15,7 +15,7 @@ mode: "0640" register: apt_backports_list tags: - - apt + - apt - name: Backports configuration copy: @@ -25,7 +25,7 @@ mode: "0640" register: apt_backports_config tags: - - apt + - apt - name: Archived backport are accepted (jessie) lineinfile: @@ -33,11 +33,13 @@ line: 'Acquire::Check-Valid-Until no;' create: yes state: present - when: ansible_lsb.codename == "jessie" + when: ansible_distribution_release == "jessie" + tags: + - apt - name: Apt update apt: update_cache: yes when: apt_backports_list | changed or apt_backports_config | changed tags: - - apt + - apt 
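Review bot: `test "${IS_DISKPERF:=0}" = 1 && check_diskperf` flips the default so the disk-performance check is skipped on every host unless `IS_DISKPERF=1` is set explicitly, and neither the CHANGELOG hunk of this commit nor a comment records why; a line above it such as `# disabled by default: set IS_DISKPERF=1 to enable` plus a CHANGELOG entry would keep the behaviour change discoverable. The rest of `main()` lies outside the hunk.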
diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml index edd3ea0c..9f792a7f 100644 --- a/apt/tasks/basics.yml +++ b/apt/tasks/basics.yml @@ -8,21 +8,23 @@ force: yes register: apt_basic_list tags: - - apt + - apt - name: Clean GANDI sources.list.d/debian-security.list file: path: '{{ item }}' state: absent with_items: - - /etc/apt/sources.list.d/debian-security.list - - /etc/apt/sources.list.d/debian-stretch.list - - /etc/apt/sources.list.d/debian-update.list + - /etc/apt/sources.list.d/debian-security.list + - /etc/apt/sources.list.d/debian-stretch.list + - /etc/apt/sources.list.d/debian-update.list when: apt_clean_gandi_sourceslist + tags: + - apt - name: Apt update apt: update_cache: yes when: apt_basic_list | changed tags: - - apt + - apt diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml index 264e8dd7..988aac7a 100644 --- a/apt/tasks/config.yml +++ b/apt/tasks/config.yml @@ -9,9 +9,11 @@ state: present mode: "0640" with_items: - - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } - - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } + - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } + - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } when: apt_evolinux_config + tags: + - apt - name: DPkg invoke hooks lineinfile: 
@@ -21,24 +23,32 @@ state: present mode: "0640" with_items: - - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" - - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" - - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" - - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" + - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" + - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" + - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" + - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" when: apt_hooks + tags: + - apt - name: Remove Aptitude apt: name: aptitude state: absent when: apt_remove_aptitude + tags: + - apt - name: Updating APT cache apt: update_cache: yes changed_when: False + tags: + - apt - name: Upgrading system apt: upgrade: dist when: apt_upgrade + tags: + - apt diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index dc80a1b4..ed6f98e2 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -12,6 +12,8 @@ apt_key: #url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D data: "{{ lookup('file', 'reg.gpg') }}" + tags: + - apt - name: Evolix public list is installed (only for Debian) template: @@ -21,7 +23,7 @@ mode: "0640" register: apt_evolix_public tags: - - apt + - apt when: ansible_distribution == "Debian" - name: Apt update @@ -29,4 +31,4 @@ update_cache: yes when: apt_evolix_public | changed tags: - - apt + - apt diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 0939335b..b44a1581 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml 
@@ -5,6 +5,8 @@ register: apt_mark changed_when: "'{{ item }} set on hold.' in apt_mark.stdout" with_items: "{{ apt_hold_packages }}" + tags: + - apt - name: "hold packages (config)" lineinfile: @@ -13,12 +15,16 @@ create: True state: present with_items: "{{ apt_hold_packages }}" + tags: + - apt - name: "unhold packages (apt)" shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}" register: apt_mark changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout" with_items: "{{ apt_unhold_packages }}" + tags: + - apt - name: "unhold packages (config)" lineinfile: @@ -27,6 +33,8 @@ create: True state: absent with_items: "{{ apt_unhold_packages }}" + tags: + - apt - name: /usr/share/scripts exists file: @@ -35,6 +43,8 @@ owner: root group: root state: directory + tags: + - apt - name: Check scripts is installed copy: @@ -42,6 +52,8 @@ dest: /usr/share/scripts/check_held_packages.sh force: yes mode: "0755" + tags: + - apt - name: Check for held packages (script) cron: @@ -55,3 +67,5 @@ day: "{{ apt_check_hold_cron_day }}" month: "{{ apt_check_hold_cron_month }}" state: "present" + tags: + - apt diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index a57a33bd..cf84ca22 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml 
@@ -6,34 +6,34 @@ when: - (ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')) and (ansible_distribution != "Ubuntu" or ansible_distribution_major_version | version_compare('18', '<')) tags: - - apt + - apt - name: Custom configuration include: config.yml when: apt_config tags: - - apt + - apt - name: Install basics repositories include: basics.yml when: apt_install_basics tags: - - apt + - apt - name: Install APT Backports repository include: backports.yml when: apt_install_backports tags: - - apt + - apt - name: Install Evolix Public APT repository include: evolix_public.yml when: apt_install_evolix_public tags: - - apt + - apt - name: Install check for packages marked hold include: hold_packages.yml when: apt_install_hold_packages tags: - - apt + - apt -- 2.39.2 From 08c5d8d427aaa823723c14e08642b5a3db62fcb5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 10:29:18 +0200 Subject: [PATCH 12/38] fluentd: store gpg key locally --- CHANGELOG.md | 1 + fluentd/files/fluentd.gpg | 53 +++++++++++++++++++++++++++++++++++++++ fluentd/tasks/main.yml | 3 ++- 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 fluentd/files/fluentd.gpg diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f12bf19..b64b465b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release. ### Changed * evocheck : update (unreleased) from upstream * evomaintenance : use the web API instead of PG Insert +* fluentd: store gpg key locally * rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5 * redmine: update default version to 4.0.3 * nagios-nrpe: change required status code for http and https check diff --git a/fluentd/files/fluentd.gpg b/fluentd/files/fluentd.gpg new file mode 100644 index 00000000..7a998316 --- /dev/null +++ b/fluentd/files/fluentd.gpg 
@@ -0,0 +1,53 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBFhiI8wBEADThWLNd8IKPRw7Ygu3DHS4Sb/Yc6vSZSaMGJ6Wkj245jScvI+C +nG4C4rtO/8ObUj5cUpb4CyfYZX8W4tp9x+W68c4paXevG4s+X4EE3uUsgdwTnFXi +GMa57QDzR4p/JvjUjfGJ2UAr4Bfj8Q2S54LmIu6UAe82ce2B4tEHCeYSxkmVUDAZ +utfmgKoVTbnceTemU0m5ANS6IC1/53KEhgB1sKm5G/FjRJGslHWb3mf+bLrhmlkP +pA4BOKF2w3eFYH3LhWskxMS0SPM7J6aq+6LyNNqtlKL6lUS7qVjRQ6PlgFcmtG4J +tijsZI62bDn1f44DmeLY+LMS/nM0xyIx94lYumGH5EYmjUECagqMool98/+Wx79A +Thtg/1pYNzo8Z76qr0i3xLSRtsQ2Om2Rfal7VGadOrx4sqlkSaUaGI+hBc1r4tNy +tERvBEMGSf78bWDbdzxSNEW4LUDUpniNQb0DrURfWkqRa3q4WcTJr8lpQM/NmAru +owayAXQwKob+OIZ09/O69EaqVJ9MqsM3keQouSHShKvzNrppuo3D3z+Dpy05FsYw +MAiIN7auXxy+XQwCVsKF083YaDHcC0I22GReEgt43yZXQ/b/J9QNrm5nJ+3Cpso3 +jJnMzubuniSOOdd3mXQ6MwgZvWgtH/nPF8oUX9VSGwqNohiKWcxQDxW7qQARAQAB +tFRUcmVhc3VyZSBEYXRhLCBJbmMgKFRyZWFzdXJlIEFnZW50IE9mZmljaWFsIFNp +Z25pbmcga2V5KSA8c3VwcG9ydEB0cmVhc3VyZS1kYXRhLmNvbT6JAjcEEwEIACEF +AlhiI8wCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQkB+Rd6uXrL5GrhAA +nh82+caSu9Qu/LW256gN5UjPUFhph66ElT1OVyAR2FoOmz2pJH3t8YYD5cUV2W6/ +xqJDmjl+vnL2HBgxjHKRCo2K3hrq6z4LoU7SpWDI1cZ03lkjh1yNx13S+9JvZNlp +jit0WRIspke0n0vWSpNo4nh19Yg3EA1c+vGeHnmlYo6xwRHu6XOhhCwywtFRGC3a +iMJzAV4N69ZU6P5VZZkC6LjYYQtF4aI10COLZ4AcObH2htGAZTj2KlZfdJHmr+Oa +wY57giUYz7OF45LLCuqe+VwpGp2d3UK/MtCnXRLi5InMVJKDvyt18MzRDFuyA27e +WSt+JumVqhEjawh3hmdzIS1cHKmv19gdeE8On2i2Lf8lyek8fsB/YPgADAmp2oSe +cjLu0ocGbgxRjuCR29+6IG+DiUDFCkqFZNdLiGVqzjpjpYHaPhVe77ciwA8TCPru +3dh5t/qv2HglSd7lj95IApZBtny5AK8NS4qtaOeZbBbbDRuOPL0c7fU3bqyIPy57 +zvdYi3KdjWZVCawcAmk3ILP83eFSivCRPRoyCqO+HX8U647BBWvlFuEbPa+Y1sgE +12MEF/Y6VVJh3Ptw+h/qKRbra4LdA+5Y30q/9l6WGgbO/4h3NKmGeVCrAFvS3h92 +fS0ABYD1nAP7fSNS9RfYIqfBXtJem+tJ14YKJwWiAYW5Ag0EWGIjzAEQAMw5EMJu +RBFRdhXD5UeA7I7wwkql/iYof8ydUALBxh9NSpmwaACkb4Me6h/rHdVsPRO3vIoo +uXftSjkRk2frjziihfEdeYxYU5PPawZxwCRDInr/OLZmcCCA2yCkRnFBhZxQy8NW +iJz0tlJtohhuJ7NRK7+HVJ3rPrtoV1lZVricDrB7DdVySp+7VciEM/XQhKKlesyd +gYXic4fx7xvPS6hRmH/fNVdvFobIhQBNUuPfKJeKpeJqPHeqkCNRz1Kl6NW9XXBq 
+hNyAlC7SPdKmjsv4UVIcFLUXP5wv7nprtEh15LoDlJCvFEF/iDJzaWI3QeVqY8XS +EI77WNsA/w7nlVNO3lGOPMjW8cxn4Jd2s4lpNa/e+RfrG/PD+ODSS92ISkuihBIU +Z2XeFa1xjQ1ayint4lVe3FGWTBJjqK8qX3JaOVeUD0AlSWqFcJzI7KxfNtVZCOaZ +WL/PVG124A118AUMFEWfb3r2Le8ddl+AKFP5Etsb+00VEWL06VPDampJIHanGjyX +h3dZkzORO3l3dt/P6embimic2QDOmO5x+wESnD8spITPKDl9OuqebCB8Z2oShnnG ++xhKDl045UFCPMVOXLb4kHonBmN2wBT/GIh4qqZj/7mm6r4P194HzN8LQuZsloJs +A6tnEpEmSe33xBDfGAeS0eNxFiATGwAcCRyRABEBAAGJAh8EGAEIAAkFAlhiI8wC +GwwACgkQkB+Rd6uXrL559w/9GfoTxZS+VJQsQc1inW9YKZaWl99Hd4u8CGhE057S +zvzMnIH6fcgib3m+TelevplSEN1QN1GGTvn95n8JQ8RX36xy8SQVzrPIlO4gXGAF +J1uHmSp3SSplrwKIBQk3MORrfbTg78CN9527GCQHih8+qgB3IYe23NhsKLre3mbZ +h9NAWOeMsBF0jG0c0Cu3/F8muY2XSTqENB8R263YJsQSC3qaiaq9TtstisOe/HWK +yQix2Hofg3H96dZXsqbQEvxgyema+A6ptCm7S66eSYoPPeXQaraTsz6nLlVtvhSD +kll2axjAK4NDbSjJuZI/54CkO+FB00bkXDxPFgnfDPWgvPMF1cBuuX0QN1BO8n4C +eA9zyBBdTw9bbzO1kRdeBHLa7n845ecVbEh15Hvtf20/CJB9ua+qRlcXtgxhUf3+ +pm/xbAM22z/F3+RsLwGOG8T0Vy2q//VVqLxSFlawiZW9RkClKyV6A1KH0EA6W84d +GcxiDgwrBHd+d40s3VDE/Wlmj0w73xeebEaXCmaTO/Hp5DIA64LfXHB2ckvwv15I +ISQV2g55+ghnwaD/02uGCGpJl0zJgQ+PKvrFAz+wIUqrQJxXP4epqWycmzG98T7g +pi20lwzO87S6b1GIL9t6Q/Zge8bbB7lG5mBR2U5XyGhfHXGaHTb6nQQYh3hCet8G +5Ow= +=Me4L +-----END PGP PUBLIC KEY BLOCK----- diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index cad4f17e..30a4f0bf 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -2,7 +2,8 @@ - name: Fluentd GPG key is installed apt_key: - url: https://packages.treasuredata.com/GPG-KEY-td-agent + # url: https://packages.treasuredata.com/GPG-KEY-td-agent + data: "{{ lookup('file', 'fluentd.gpg') }}" tags: - packages - fluentd -- 2.39.2 From bd3c864ba47860e70a7acc6a934ae34ee236988f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 10:36:32 +0200 Subject: [PATCH 13/38] whitespaces and syntax --- lxc/tasks/main.yml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) 
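Review bot: Switching from `url:` to `data: "{{ lookup('file', 'fluentd.gpg') }}"` removes the download at run time, but nothing in the task or the vendored file says which key is expected, so a reviewer cannot tell whether the committed block matches the publisher's key; a comment next to the task, e.g. `# fingerprint: <FINGERPRINT> (check against the vendor's published key)`, gives that anchor. The key still lands in the global trusted keyring, where it can sign any repository; `apt_key` accepts `keyring:` to confine it to its own file (for example `keyring: /etc/apt/trusted.gpg.d/fluentd.gpg`). The commented-out `# url:` line is useful provenance and worth keeping.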
diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index c606a02c..11d267c5 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -3,9 +3,9 @@ apt: name: '{{ item }}' with_items: - - lxc - - debootstrap - - xz-utils + - lxc + - debootstrap + - xz-utils - name: Copy LXC default containers configuration template: @@ -21,8 +21,13 @@ - name: Add subuid and subgid ranges to root command: usermod -v 100000-199999 -w 100000-109999 root - when: lxc_unprivilegied_containers and root_subuids.rc + when: + - lxc_unprivilegied_containers + - root_subuids.rc - name: Create containers - include: "create-container.yml name={{item.name}} release={{item.release}}" + include: create-container.yml + vars: + name: "{{ item.name }}" + release: "{{item.release}}" with_items: "{{lxc_containers}}" -- 2.39.2 From bf9f28dc9f91782234351a14cd8b12777f34659e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 10:43:20 +0200 Subject: [PATCH 14/38] rbenv: install Ruby 2.6.3 by default --- CHANGELOG.md | 2 +- rbenv/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b64b465b..7b7350c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,7 +24,7 @@ The **patch** part changes incrementally at each release. * evocheck : update (unreleased) from upstream * evomaintenance : use the web API instead of PG Insert * fluentd: store gpg key locally -* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5 +* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.6.3 * redmine: update default version to 4.0.3 * nagios-nrpe: change required status code for http and https check * redmine: use custom errors-pages in Nginx vhost diff --git a/rbenv/defaults/main.yml b/rbenv/defaults/main.yml index 2c0ecd28..533834cd 100644 --- a/rbenv/defaults/main.yml +++ b/rbenv/defaults/main.yml 
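Review bot: The new `vars:` block mixes `"{{ item.name }}"` and `"{{item.release}}"`; the first form is the file's own style in this hunk, so `release: "{{ item.release }}"` (and `with_items: "{{ lxc_containers }}"`) would be consistent. The split `when:` list keeps the earlier semantics, `root_subuids.rc` being truthy for any non-zero exit status, so `usermod` runs whenever the registered command failed; a comment stating what a non-zero status means there (presumably that root has no range yet, to be confirmed against the registering task, which sits outside the hunk) would make the intent explicit.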
@@ -1,6 +1,6 @@ --- rbenv_version: v1.1.2 -rbenv_ruby_version: 2.5.5 +rbenv_ruby_version: 2.6.3 rbenv_root: "~/.rbenv" rbenv_repo: "https://github.com/rbenv/rbenv.git" rbenv_plugins: -- 2.39.2 From 98cf6446d7bcbe92d45907c64992ed82c70faaa5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 10:46:08 +0200 Subject: [PATCH 15/38] Release 9.10.0 --- CHANGELOG.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b7350c4..bf20de3e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,16 @@ The **patch** part changes incrementally at each release. ## [Unreleased] +### Added + +### Changed + +### Fixed + +### Security + +## [9.10.0] - 2019-06-21 + ### Added * apache: add server status suffix in VHost (and default site) if missing * apache: add a variable to customize the server-status host @@ -41,8 +51,6 @@ The **patch** part changes incrementally at each release. * evolinux-users: Validate sshd config with "-t" instead of "-T" * nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-* -### Security - ## [9.9.0] - 2019-04-16 ### Added -- 2.39.2 From e27fb3cee7dbcd0aa119a46c162d2e6d04c2a41c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 14:35:59 +0200 Subject: [PATCH 16/38] evocheck : update (version 19.06) from upstream --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 29 ++++++++++++++++------------- 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf20de3e..83d13b6d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added ### Changed +* evocheck : update (version 19.06) from upstream ### Fixed diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 9fba8154..857b7919 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh 
@@ -891,17 +891,15 @@ check_mysqlmunin() { } check_mysqlnrpe() { if is_debian_stretch && is_installed mariadb-server; then - nagios_home=$(getent passwd "nagios" | cut -d: -f6) - nagios_file_abs="${nagios_home}/.my.cnf" - nagios_file_sym="~nagios/.my.cnf" + nagios_file=~nagios/.my.cnf - if ! test -f $nagios_file_abs; then - failed "IS_MYSQLNRPE" "$nagios_file_abs is missing" - elif [ "$(stat -c %U $nagios_file_abs)" != "nagios" ] \ - || [ "$(stat -c %a $nagios_file_abs)" != "600" ]; then - failed "IS_MYSQLNRPE" "$nagios_file_abs has wrong permissions" + if ! test -f ${nagios_file}; then + failed "IS_MYSQLNRPE" "${nagios_file} is missing" + elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \ + || [ "$(stat -c %a ${nagios_file})" != "600" ]; then + failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions" else - grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file_sym" /etc/nagios/nrpe.d/evolix.cfg \ + grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \ || failed "IS_MYSQLNRPE" "check_mysql is missing" fi fi @@ -1095,9 +1093,7 @@ check_evomaintenanceconf() { && grep "^FULLFROM" $f | grep -qv "John Doe " \ && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ - && grep "^REALM" $f | grep -qv "example.com" \ - && grep "^API_ENDPOINT" $f | grep -qv "https://example.com/api/" \ - && grep "^API_KEY" $f | grep -qv "secretkey"; + && grep "^REALM" $f | grep -qv "example.com" } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" else failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing" @@ -1128,6 +1124,12 @@ check_evobackup_incs() { fi } +check_osprober() { + if is_installed os-prober qemu-kvm; then + failed "IS_OSPROBER" "Removal of os-prober package is recommended as it can cause serious issue on KVM server" + fi +} + main() { # Default return code : 0 = no error RC=0 
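Review bot: The rewritten grep in `check_mysqlnrpe`, `grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg`, no longer verifies that the command reads its credentials from the `-f` options file, so an NRPE definition that passes the password inline (visible to every local user through the process list) now passes the check that previously caught it. Matching the option rather than the expanded path keeps the check meaningful without the earlier tilde/absolute-path mismatch: `grep -q -E "^command\[check_mysql\]=/usr/lib/nagios/plugins/check_mysql .*-f +[^ ]*\.my\.cnf" /etc/nagios/nrpe.d/evolix.cfg`. `nagios_file=~nagios/.my.cnf` stays literal when no `nagios` account exists, and `${nagios_file}` is unquoted in `test -f` and both `stat` calls.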
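Review bot: The `check_evomaintenanceconf` hunk drops the `API_ENDPOINT` and `API_KEY` lines from the chain, so a configuration still carrying the placeholder `secretkey` is no longer reported, although the web-API mode that this repository's CHANGELOG says evomaintenance now uses depends on that value. If the lines were removed because not every installation has an API section, a conditional keeps the detection for those that do: `&& { ! grep -q "^API_KEY" $f || grep "^API_KEY" $f | grep -qv "secretkey"; }`. The enclosing `{ … } || failed` group opens above the hunk, and `$f` is unquoted throughout, as in the surrounding lines.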
@@ -1248,6 +1250,7 @@ main() { test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre test "${IS_OLD_HOME_DIR:=1}" = 1 && check_old_home_dir test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs + test "${IS_OSPROBER:=1}" = 1 && check_osprober fi #----------------------------------------------------------- @@ -1360,7 +1363,7 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")") # shellcheck disable=2124 readonly ARGS=$@ -readonly VERSION="19.04" +readonly VERSION="19.06" # Disable LANG* export LANG=C -- 2.39.2 From b439aeb739bd1503b6a45ef509fa93e9fdd1294d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jun 2019 14:36:20 +0200 Subject: [PATCH 17/38] Release 9.10.1 --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 83d13b6d..9472e665 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,12 +13,16 @@ The **patch** part changes incrementally at each release. ### Added ### Changed -* evocheck : update (version 19.06) from upstream ### Fixed ### Security +## [9.10.1] - 2019-06-21 + +### Changed +* evocheck : update (version 19.06) from upstream + ## [9.10.0] - 2019-06-21 ### Added -- 2.39.2 From eeffa69c9d5360f55bef84cff8d8ee3a6b27697b Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 26 Jun 2019 11:10:23 +0200 Subject: [PATCH 18/38] lxc-php: Don't remove the default pool - That's making PHP-FPM sad :( --- CHANGELOG.md | 1 + lxc-php/tasks/php.yml | 21 --------------------- 2 files changed, 1 insertion(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9472e665..4f7ffaf8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. ### Changed ### Fixed +* lxc-php: Don't remove the default pool ### Security diff --git a/lxc-php/tasks/php.yml b/lxc-php/tasks/php.yml index 49cb8116..25b72ccd 100644 --- a/lxc-php/tasks/php.yml +++ b/lxc-php/tasks/php.yml 
@@ -46,27 +46,6 @@ command: "lxc-attach -n {{name}} -- apt-get install -y php7.3 php7.3-fpm php7.3-cli php7.3-curl php7.3-mysql php7.3-pgsql php7.3-ldap php7.3-imap php7.3-gd php-ssh2 php-gettext composer libphp-phpmailer ssmtp git zip unzip php7.3-zip" when: name == 'php73' -- name: Remove default FPM 5.6 pool - file: - name: "/var/lib/lxc/{{name}}/rootfs/etc/php5/fpm/pool.d/www.conf" - state: absent - notify: "Reload {{name}}-fpm" - when: name == 'php56' - -- name: Remove default FPM 7.0 pool - file: - name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.0/fpm/pool.d/www.conf" - state: absent - notify: "Reload {{name}}-fpm" - when: name == 'php70' - -- name: Remove default FPM 7.3 pool - file: - name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.3/fpm/pool.d/www.conf" - state: absent - notify: "Reload {{name}}-fpm" - when: name == 'php73' - - name: Copy evolinux PHP 5.6 configuration template: src: z-evolinux-defaults.ini.j2 -- 2.39.2 From 148a383cf1c51e15040eb34d5739f97dc4a76699 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Wed, 26 Jun 2019 18:12:39 +0200 Subject: [PATCH 19/38] Add install package percona-toolkit by default --- mysql/tasks/utils.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 74ebceef..ff8ad1bc 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -75,6 +75,18 @@ tags: - mysql +# Percona Toolkit + +- name: "Install percona-toolkit (Debian 9 or later)" + apt: + name: percona-toolkit + state: present + tags: + - packages + - percona-toolkit + - mysql + when: ansible_distribution_major_version | version_compare('9', '>=') + # automatic optimizations - include_role: -- 2.39.2 From af5573980dfc55733ff223aa91d633f40beb8b1f Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Tue, 18 Jun 2019 17:35:28 +0200 Subject: [PATCH 20/38] change distribution release codename Ansible 2.2 is too old to know about buster. Let's use LSB for that. --- apt/tasks/backports.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.yml index 97f5aede..0bdc82c7 100644 --- a/apt/tasks/backports.yml +++ b/apt/tasks/backports.yml @@ -33,7 +33,7 @@ line: 'Acquire::Check-Valid-Until no;' create: yes state: present - when: ansible_distribution_release == "jessie" + when: ansible_lsb.codename == "jessie" tags: - apt -- 2.39.2 From 5385db2b1617159406ac927d5f58c0648135d4c0 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Fri, 28 Jun 2019 14:18:20 -0400 Subject: [PATCH 21/38] Adds a task to directly install the serveur-base .deb in ubuntu This package is not available yet on ubuntu systems so we must install it directly alongside log2mail and evocheck. Fixes #57 --- evolinux-base/tasks/packages.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index b4d9cee1..d7778fe7 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml 
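Review bot: `ansible_lsb.codename` is only populated when the lsb-release package is present on the target; otherwise `ansible_lsb` is an empty dict and this `when` fails with an undefined-attribute error instead of evaluating to false. Guard it with a default, e.g. `when: ansible_lsb.codename | default(ansible_distribution_release) == "jessie"`, or put `ansible_lsb.codename is defined` first in a list-form `when`. The task starts before the hunk; only its trailing keys are visible here.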
@@ -80,11 +80,20 @@ - mlocate when: evolinux_packages_purge_locate -- name: Install/Update serveur-base meta-package +- name: Install/Update serveur-base meta-package on debian apt: name: serveur-base allow_unauthenticated: yes - when: evolinux_packages_serveur_base + when: evolinux_packages_serveur_base and (ansible_distribution == "Debian") + +- name: Install/Update serveur-base meta-package on ubuntu + apt: + deb: "{{ item }}" + with_items: + - 'http://pub.evolix.net/stretch/log2mail_0.3.0-2_amd64.deb' + - 'http://pub.evolix.net/stretch/evocheck_0.10-1_all.deb' + - 'http://pub.evolix.net/stretch/serveur-base_0.4.0_all.deb' + when: evolinux_packages_serveur_base and (ansible_distribution == "Ubuntu") - name: Install/Update packages for Stretch and later apt: -- 2.39.2 From 8d352f100eea329e16f6a09035f8e879113891b8 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 2 Jul 2019 16:07:05 -0400 Subject: [PATCH 22/38] Adds default http sites whitelist for ubuntu Ubuntu and Debian do not use the same apt sources. I created two new default variables (minifirewall_default_xxx_http_sites) that contain a list of the sites required for apt to work. I then removed the debian sites from the default file and added two new tasks to prepend the contents of these variables to HTTPSITES. fixes #65 --- minifirewall/defaults/main.yml | 10 ++++++++++ minifirewall/files/minifirewall.conf | 2 +- minifirewall/tasks/config.yml | 16 ++++++++++++++++ 3 files changed, 27 insertions(+), 1 deletion(-) diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 3f173962..6d12777a 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml 
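Review bot: The three `.deb` files in the new ubuntu task are fetched over plain `http://` and handed straight to `apt: deb:`, which installs a file without any repository signature check, so there is no integrity verification at all on this path (the debian task above at least goes through apt, even with `allow_unauthenticated: yes`). Download them with `get_url` and a pinned `checksum:` first, then install the local files; the same pattern appears in the new `evomaintenance/tasks/install_package_ubuntu.yml` hunk later in this series. The hard-coded `stretch` path and package versions on an Ubuntu host are presumably deliberate per the commit message, but a comment saying so would help the next reader.
```yaml
- name: Download serveur-base meta-package and its dependencies for ubuntu
  get_url:
    url: "{{ item.url }}"
    dest: "/root/{{ item.url | basename }}"
    checksum: "{{ item.checksum }}"
  with_items:
    - url: 'http://pub.evolix.net/stretch/log2mail_0.3.0-2_amd64.deb'
      checksum: 'sha256:<PLACEHOLDER_LOG2MAIL_SHA256>'
    - url: 'http://pub.evolix.net/stretch/evocheck_0.10-1_all.deb'
      checksum: 'sha256:<PLACEHOLDER_EVOCHECK_SHA256>'
    - url: 'http://pub.evolix.net/stretch/serveur-base_0.4.0_all.deb'
      checksum: 'sha256:<PLACEHOLDER_SERVEUR_BASE_SHA256>'
  when: evolinux_packages_serveur_base and (ansible_distribution == "Ubuntu")

- name: Install/Update serveur-base meta-package on ubuntu
  apt:
    deb: "/root/{{ item }}"
  with_items:
    - 'log2mail_0.3.0-2_amd64.deb'
    - 'evocheck_0.10-1_all.deb'
    - 'serveur-base_0.4.0_all.deb'
  when: evolinux_packages_serveur_base and (ansible_distribution == "Ubuntu")
```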
@@ -37,6 +37,16 @@ minifirewall_smtp_ok: Null minifirewall_smtp_secure_ok: Null minifirewall_ntp_ok: Null +minifirewall_default_debian_http_sites: + - security.debian.org + - security-cdn.debian.org + - volatile.debian.org + - backports.debian.org + +minifirewall_default_ubuntu_http_sites: + - archive.ubuntu.com + - security.ubuntu.com + minifirewall_autostart: False minifirewall_restart_if_needed: True minifirewall_restart_force: False diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index 85246940..4e0d00ca 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf @@ -50,7 +50,7 @@ DNSSERVEURS='0.0.0.0/0' # HTTP authorizations # (you can use DNS names but set cron to reload minifirewall regularly) # (if you have HTTP proxy, set 0.0.0.0/0) -HTTPSITES='security.debian.org security-cdn.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org' +HTTPSITES='pub.evolix.net mirror.evolix.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org' # HTTPS authorizations HTTPSSITES='0.0.0.0/0' diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 13cb6145..6a0d0483 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml 
@@ -114,6 +114,22 @@ create: no when: minifirewall_dns_servers is not none +- name: Configure HTTPSITES for debian + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "HTTPSITES='{{ minifirewall_default_debian_http_sites | join(' ') }}'" + regexp: "HTTPSITES='.*'" + create: no + when: ansible_distribution == "Debian" + +- name: Configure HTTPSITES for ubuntu + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "HTTPSITES='{{ minifirewall_default_ubuntu_http_sites | join(' ') }}'" + regexp: "HTTPSITES='.*'" + create: no + when: ansible_distribution == "Ubuntu" + - name: Configure HTTPSITES lineinfile: dest: "{{ minifirewall_main_file }}" -- 2.39.2 From ff9e1e80aa6a71f408d722f553d90c546be262e5 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 3 Jul 2019 08:56:07 -0400 Subject: [PATCH 23/38] Fix for minifirewall bug in 8d352f100eea329e16f6a09035f8e879113891b8 The default OS websites would override all the default http sites. I removed those default http sites from the file and put them in the minifirewall_http_sites list. Since this would override the list anyway, it doesnt change much, except that someone who doesnt want to use the OS default websites should also override the related variables (minifirewall_default_*_http_sites) fixes #65 --- minifirewall/defaults/main.yml | 13 ++++++++++++- minifirewall/files/minifirewall.conf | 2 +- minifirewall/tasks/config.yml | 19 +++++++++---------- 3 files changed, 22 insertions(+), 12 deletions(-) diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 6d12777a..7defa14f 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml 
@@ -29,7 +29,18 @@ minifirewall_private_ports_udp: [] # Keep a null value to leave the setting as is # otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']" minifirewall_dns_servers: Null -minifirewall_http_sites: Null + +minifirewall_http_sites: + - pub.evolix.net + - mirror.evolix.org + - hwraid.le-vert.net + - antispam00.evolix.org + - spamassassin.apache.org + - sa-update.space-pro.be + - sa-update.secnap.net + - www.sa-update.pccc.com + - sa-update.dnswl.org + minifirewall_https_sites: Null minifirewall_ftp_sites: Null minifirewall_ssh_ok: Null diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index 4e0d00ca..3de4f7f9 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf @@ -50,7 +50,7 @@ DNSSERVEURS='0.0.0.0/0' # HTTP authorizations # (you can use DNS names but set cron to reload minifirewall regularly) # (if you have HTTP proxy, set 0.0.0.0/0) -HTTPSITES='pub.evolix.net mirror.evolix.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org' +HTTPSITES='' # HTTPS authorizations HTTPSSITES='0.0.0.0/0' diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 6a0d0483..5d851cbc 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml 
@@ -114,10 +114,17 @@ create: no when: minifirewall_dns_servers is not none +- name: Configure HTTPSITES + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" + regexp: "HTTPSITES='.*'" + create: no + - name: Configure HTTPSITES for debian lineinfile: dest: "{{ minifirewall_main_file }}" - line: "HTTPSITES='{{ minifirewall_default_debian_http_sites | join(' ') }}'" + line: "HTTPSITES='{{ minifirewall_default_debian_http_sites | join(' ') }}' '{{ minifirewall_http_sites | join(' ') }}'" regexp: "HTTPSITES='.*'" create: no when: ansible_distribution == "Debian" @@ -125,19 +132,11 @@ - name: Configure HTTPSITES for ubuntu lineinfile: dest: "{{ minifirewall_main_file }}" - line: "HTTPSITES='{{ minifirewall_default_ubuntu_http_sites | join(' ') }}'" + line: "HTTPSITES='{{ minifirewall_default_ubuntu_http_sites | join(' ') }}' '{{ minifirewall_http_sites | join(' ') }}'" regexp: "HTTPSITES='.*'" create: no when: ansible_distribution == "Ubuntu" -- name: Configure HTTPSITES - lineinfile: - dest: "{{ minifirewall_main_file }}" - line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" - regexp: "HTTPSITES='.*'" - create: no - when: minifirewall_http_sites is not none - - name: Configure HTTPSSITES lineinfile: dest: "{{ minifirewall_main_file }}" -- 2.39.2 From cba87f594ca5ce35c109892945edb0ba09ff3cc0 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 3 Jul 2019 09:06:08 -0400 Subject: [PATCH 24/38] Fix mistake in join for minifirewall HTTPSITES There were extraneous quotes in the rendered string. fixes #65 --- minifirewall/tasks/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 5d851cbc..e19d53a0 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml 
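Review bot: The new unconditional `Configure HTTPSITES` task (and the two distribution-specific tasks below it) pass `minifirewall_http_sites` through `join(' ')`, but the comment above that variable in defaults still says a null value leaves the setting as is; with `minifirewall_http_sites: Null` the join raises a "NoneType is not iterable" template error, and the `when: minifirewall_http_sites is not none` guard that used to prevent this is removed in the second hunk. Either keep the guard on all three tasks or make the join null-safe, e.g. `line: "HTTPSITES='{{ (minifirewall_http_sites | default([], true)) | join(' ') }}'"`, and update the defaults comment to match. Since three tasks now share `regexp: "HTTPSITES='.*'"`, anchoring it as `'^HTTPSITES='` also avoids rewriting a commented-out copy of the line.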
@@ -124,7 +124,7 @@ - name: Configure HTTPSITES for debian lineinfile: dest: "{{ minifirewall_main_file }}" - line: "HTTPSITES='{{ minifirewall_default_debian_http_sites | join(' ') }}' '{{ minifirewall_http_sites | join(' ') }}'" + line: "HTTPSITES='{{ minifirewall_default_debian_http_sites | join(' ') }} {{ minifirewall_http_sites | join(' ') }}'" regexp: "HTTPSITES='.*'" create: no when: ansible_distribution == "Debian" @@ -132,7 +132,7 @@ - name: Configure HTTPSITES for ubuntu lineinfile: dest: "{{ minifirewall_main_file }}" - line: "HTTPSITES='{{ minifirewall_default_ubuntu_http_sites | join(' ') }}' '{{ minifirewall_http_sites | join(' ') }}'" + line: "HTTPSITES='{{ minifirewall_default_ubuntu_http_sites | join(' ') }} {{ minifirewall_http_sites | join(' ') }}'" regexp: "HTTPSITES='.*'" create: no when: ansible_distribution == "Ubuntu" -- 2.39.2 From efa7e44fe0e1b05de2aaeeb5deff7f29f0c0f7d3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jun 2019 15:12:00 +0200 Subject: [PATCH 25/38] Revert "evolinux-base: install "spectre-meltdown-checker" (Debian 9 and later)" This reverts commit 65414d8ae748de19c9bcb7df79518f4ac0ba7481. --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f7ffaf8..fee81e5c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,8 @@ The **patch** part changes incrementally at each release. ## [Unreleased] +* Ubuntu 18.04 support + ### Added ### Changed @@ -31,7 +33,6 @@ The **patch** part changes incrementally at each release. * apache: add a variable to customize the server-status host * apt: add a script to manage packages with "hold" mark * etc-git: gitignore /etc/letsencrypt/.certbot.lock -* evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later) * evomaintenance: make hooks configurable * nginx: add server status suffix in VHost (and default site) if missing * redmine: enable gzip compression in nginx vhost -- 2.39.2 
From 6f07c77f1046cef6de615f6c35d5bcb910c01633 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 1 Jul 2019 17:17:25 +0200 Subject: [PATCH 26/38] elasticsearch: listen on local interface only by default --- CHANGELOG.md | 1 + elasticsearch/README.md | 2 +- elasticsearch/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fee81e5c..9f662180 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. ### Added ### Changed +* elasticsearch: listen on local interface only by default ### Fixed * lxc-php: Don't remove the default pool diff --git a/elasticsearch/README.md b/elasticsearch/README.md index e8184019..933beb0f 100644 --- a/elasticsearch/README.md +++ b/elasticsearch/README.md @@ -27,7 +27,7 @@ Tasks are extracted in several files, included in `tasks/main.yml` : * `elasticsearch_jvm_xmx`: maximum heap size reserved for the JVM (default: `2g`). * `elasticsearch_restart_on_upgrade`: restart the service after package upgrade (default: `true`) -By default, Elasticsearch will listen to the public interfaces (`_site_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host), so you will have to secure it, with firewall rules for example. +By default, Elasticsearch will listen to the local interface (`_local_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host). ## Curator diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index f5693bf2..91e81915 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml 
@@ -5,7 +5,7 @@ elasticsearch_cluster_name: Null elasticsearch_cluster_members: Null elasticsearch_minimum_master_nodes: Null elasticsearch_node_name: "${HOSTNAME}" -elasticsearch_network_host: "[_site_, _local_]" +elasticsearch_network_host: "[_local_]" elasticsearch_network_publish_host: Null elasticsearch_http_publish_host: Null elasticsearch_custom_datadir: Null -- 2.39.2 From eac096fd0bd6608501813c9bed4da02e6ac6ebc8 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 2 Jul 2019 18:11:54 +0200 Subject: [PATCH 27/38] Add lxc-solr role --- lxc-solr/README.md | 27 +++++++++++++++++++++++ lxc-solr/defaults/main.yml | 18 ++++++++++++++++ lxc-solr/tasks/main.yml | 8 +++++++ lxc-solr/tasks/solr.yml | 39 ++++++++++++++++++++++++++++++++++ lxc-solr/templates/rc.local.j2 | 3 +++ 5 files changed, 95 insertions(+) create mode 100644 lxc-solr/README.md create mode 100644 lxc-solr/defaults/main.yml create mode 100644 lxc-solr/tasks/main.yml create mode 100644 lxc-solr/tasks/solr.yml create mode 100644 lxc-solr/templates/rc.local.j2 diff --git a/lxc-solr/README.md b/lxc-solr/README.md new file mode 100644 index 00000000..6fb31c40 --- /dev/null +++ b/lxc-solr/README.md @@ -0,0 +1,27 @@ +# lxc-solr + +Create one or more LXC containers with Solr in the version of your choice. + +*note : this role depend on the lxc role.* + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +Since this role depend on the lxc role, please refer to it for a full variable list related to the lxc containers setup. + +* `lxc_containers`: list of LXC containers to create. Default: `[]` (empty). + * `name`: name of the LXC container to create. + * `release`: Debian version to install + * `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/lucene/solr/ for a full version list)* + * `solr_port`: port for Solr to listen on + Eg.: + ``` + lxc_containers: + - name: solr8 + release: stretch + solr_version: 6.6.6 + solr_port: 8983 + ``` 
diff --git a/lxc-solr/defaults/main.yml b/lxc-solr/defaults/main.yml new file mode 100644 index 00000000..c6bbeda0 --- /dev/null +++ b/lxc-solr/defaults/main.yml @@ -0,0 +1,18 @@ +--- +# List of LXC containers to create alongside with the version of Solr to install for each of them +# Eg.: +# lxc_containers: +# - name: solr6 +# release: stretch +# solr_version: 6.6.6 +# solr_port: 8983 +# - name: solr7 +# release: stretch +# solr_version: 7.7.2 +# solr_port: 8984 +# - name: solr8 +# release: stretch +# solr_version: 8.1.1 +# solr_port: 8985 +lxc_containers: [] + diff --git a/lxc-solr/tasks/main.yml b/lxc-solr/tasks/main.yml new file mode 100644 index 00000000..e8a9e602 --- /dev/null +++ b/lxc-solr/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- name: LXC configuration + include_role: + name: lxc + +- include: "solr.yml name={{item.name}} solr_version={{item.solr_version}} solr_port={{item.solr_port}}" + with_items: + - "{{ lxc_containers }}" diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml new file mode 100644 index 00000000..4201ad65 --- /dev/null +++ b/lxc-solr/tasks/solr.yml 
@@ -0,0 +1,39 @@ +--- +- name: "Change default ulimit for container {{ name }}" + blockinfile: + dest: "/var/lib/lxc/{{ name }}/rootfs/root/.bashrc" + marker: "# {mark} set ulimit for Solr" + block: | + ulimit -n 65000 + ulimit -u 65000 + +- name: Install openjdk-8-jre-headless package + command: "lxc-attach -n {{name}} -- apt-get install -y openjdk-8-jre-headless" + +- name: "Download Solr {{ solr_version }}" + get_url: + url: "https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz" + dest: "/var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz" + mode: '0644' + +- name: "Extract solr-{{ solr_version }}.tgz" + unarchive: + src: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz + dest: /var/lib/lxc/{{ name }}/rootfs/opt/ + remote_src: yes + +- name: Set Solr autostart + template: + src: rc.local.j2 + dest: "/var/lib/lxc/{{ name }}//rootfs/etc/rc.local" + mode: "0755" + +- name: Check if Solr is running + command: "lxc-attach -n {{name}} -- /opt/solr-{{ solr_version }}/bin/solr status" + ignore_errors: yes + changed_when: false + register: service_solr_status + +- name: "Start Solr {{ solr_version }}" + command: "lxc-attach -n {{name}} -- /opt/solr-{{ solr_version }}/bin/solr start -p {{ solr_port }} -force" + when: service_solr_status | failed diff --git a/lxc-solr/templates/rc.local.j2 b/lxc-solr/templates/rc.local.j2 new file mode 100644 index 00000000..5a74a8b5 --- /dev/null +++ b/lxc-solr/templates/rc.local.j2 @@ -0,0 +1,3 @@ +#!/bin/bash +/opt/solr-{{ solr_version }}/bin/solr start -p {{ solr_port }} -force +exit 0 -- 2.39.2 From 4fa10237805fb52b506e3a94d579b628cd6a1817 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 4 Jul 2019 12:22:46 +0200 Subject: [PATCH 28/38] Add a task to make sure the rootfs directory of each container has 755 rights --- lxc-solr/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) 
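Review bot: `Download Solr {{ solr_version }}` fetches the tarball with `get_url` and no `checksum:`, so a tampered or truncated archive is extracted and started as-is; pin the digest per version, e.g. `checksum: "sha512:<PLACEHOLDER_SOLR_SHA512>"` (a dict keyed by `solr_version` in defaults would keep the values in one place). The `apt-get install` run through `command:` has no `changed_when` or `creates`, so the play reports a change on every run. Note also the doubled slash in `dest: "/var/lib/lxc/{{ name }}//rootfs/etc/rc.local"`.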
diff --git a/lxc-solr/tasks/main.yml b/lxc-solr/tasks/main.yml index e8a9e602..86ef2500 100644 --- a/lxc-solr/tasks/main.yml +++ b/lxc-solr/tasks/main.yml @@ -3,6 +3,14 @@ include_role: name: lxc +- name: Ensure containers root directory is 755 + file: + path: "/var/lib/lxc/{{ item.name }}/rootfs" + state: directory + mode: '0755' + with_items: + - "{{ lxc_containers }}" + - include: "solr.yml name={{item.name}} solr_version={{item.solr_version}} solr_port={{item.solr_port}}" with_items: - "{{ lxc_containers }}" -- 2.39.2 From 92775ddc6ce9171f0960b37f27b7c784a9a2c40b Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 4 Jul 2019 12:26:05 +0200 Subject: [PATCH 29/38] We don't want Solr to run as root! --- lxc-solr/tasks/solr.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 4201ad65..b8179ea0 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml @@ -1,12 +1,4 @@ --- -- name: "Change default ulimit for container {{ name }}" - blockinfile: - dest: "/var/lib/lxc/{{ name }}/rootfs/root/.bashrc" - marker: "# {mark} set ulimit for Solr" - block: | - ulimit -n 65000 - ulimit -u 65000 - - name: Install openjdk-8-jre-headless package command: "lxc-attach -n {{name}} -- apt-get install -y openjdk-8-jre-headless" @@ -34,6 +26,3 @@ changed_when: false register: service_solr_status -- name: "Start Solr {{ solr_version }}" - command: "lxc-attach -n {{name}} -- /opt/solr-{{ solr_version }}/bin/solr start -p {{ solr_port }} -force" - when: service_solr_status | failed -- 2.39.2 From eed3c01b6c3f3186307a3e479cc500825e4c8ec0 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 4 Jul 2019 12:28:41 +0200 Subject: [PATCH 30/38] Solr recommends to install the lsof program to detect in a better way if it's running --- lxc-solr/tasks/solr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index b8179ea0..693cbcc8 100644 
--- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml @@ -1,6 +1,6 @@ --- -- name: Install openjdk-8-jre-headless package - command: "lxc-attach -n {{name}} -- apt-get install -y openjdk-8-jre-headless" +- name: Install openjdk-8-jre-headless and lsof packages + command: "lxc-attach -n {{name}} -- apt-get install -y openjdk-8-jre-headless lsof" - name: "Download Solr {{ solr_version }}" get_url: -- 2.39.2 From c63bb0c49cda29b2875adbd9e129e7cf8f6b09ad Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 4 Jul 2019 12:31:57 +0200 Subject: [PATCH 31/38] We want Solr to be extracted in /root to let the install_solr_service.sh script install it is own way --- lxc-solr/tasks/solr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 693cbcc8..220a0e2f 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml @@ -11,7 +11,7 @@ - name: "Extract solr-{{ solr_version }}.tgz" unarchive: src: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz - dest: /var/lib/lxc/{{ name }}/rootfs/opt/ + dest: /var/lib/lxc/{{ name }}/rootfs/root/ remote_src: yes - name: Set Solr autostart -- 2.39.2 From 72a387ade49554f9296e3ce691bd6db589682cdb Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 4 Jul 2019 12:33:08 +0200 Subject: [PATCH 32/38] Let's use the install_solr_service.sh script to install Solr --- lxc-solr/tasks/solr.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 220a0e2f..dd36af53 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml @@ -25,4 +25,6 @@ ignore_errors: yes changed_when: false register: service_solr_status +- name: "Install Solr {{ solr_version }}" + command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz" -- 2.39.2 From 19962e2ac9c2af58c6798fab262127d050d3c8d1 Mon Sep 17 00:00:00 2001 
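Review bot: The new `Install Solr {{ solr_version }}` task runs `install_solr_service.sh` on every play with no idempotency guard, and the installer presumably does not expect to be re-run over an existing installation. Give the task `args: creates: "/var/lib/lxc/{{ name }}/rootfs/etc/init.d/solr"` (the init script the later tasks in this series call through `lxc-attach`) so it is skipped once Solr is installed. The task is also appended directly under `register: service_solr_status` without the blank line the rest of the file uses between tasks.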
From: Tristan PILAT Date: Thu, 4 Jul 2019 12:34:39 +0200 Subject: [PATCH 33/38] We don't need these tasks anymore since we now have an init script --- lxc-solr/tasks/solr.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index dd36af53..3c8daeb6 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml @@ -14,17 +14,6 @@ dest: /var/lib/lxc/{{ name }}/rootfs/root/ remote_src: yes -- name: Set Solr autostart - template: - src: rc.local.j2 - dest: "/var/lib/lxc/{{ name }}//rootfs/etc/rc.local" - mode: "0755" - -- name: Check if Solr is running - command: "lxc-attach -n {{name}} -- /opt/solr-{{ solr_version }}/bin/solr status" - ignore_errors: yes - changed_when: false - register: service_solr_status - name: "Install Solr {{ solr_version }}" command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz" -- 2.39.2 From 6e64e6498f9e1eccdb8e36f040d88b4023fd2d2f Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 4 Jul 2019 12:37:09 +0200 Subject: [PATCH 34/38] We want the Solr home directory to be moved in /home/solr/ --- lxc-solr/tasks/solr.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 3c8daeb6..00660b3e 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml 
@@ -17,3 +17,21 @@ - name: "Install Solr {{ solr_version }}" command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz" +- name: "Stop Solr" + command: "lxc-attach -n {{name}} -- /etc/init.d/solr stop" + ignore_errors: True + +- name: "Make sure /home/solr exists" + file: + path: /home/solr + state: directory + mode: '0755' + +- name: "Move Solr data directory to /home/solr/{{name}}" + command: "lxc-attach -n {{name}} -- mv /var/solr /home/solr/{{name}}" + +- name: "Create a symbolic link to /home/solr/{{name}}" + command: "lxc-attach -n {{name}} -- ln -s /home/solr/{{name}} /var/solr" + +- name: "Start Solr" + command: "lxc-attach -n {{name}} -- /etc/init.d/solr start" -- 2.39.2 From e1aee69c9d193265771fbbfb2f77a2047d5f221a Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 4 Jul 2019 12:37:53 +0200 Subject: [PATCH 35/38] We want Solr to run on an alternative port --- lxc-solr/tasks/solr.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 00660b3e..4cf521ae 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml @@ -33,5 +33,10 @@ - name: "Create a symbolic link to /home/solr/{{name}}" command: "lxc-attach -n {{name}} -- ln -s /home/solr/{{name}} /var/solr" +- name: "Set Solr port to {{ solr_port }}" + lineinfile: + dest: /var/lib/lxc/{{ name }}/rootfs/etc/default/solr.in.sh + line: "SOLR_PORT={{ solr_port }}" + - name: "Start Solr" command: "lxc-attach -n {{name}} -- /etc/init.d/solr start" -- 2.39.2 From 63d12e4dcfbeb806e1f6a6ed70e1bc6bf754147c Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jul 2019 20:01:09 -0400 Subject: [PATCH 36/38] Whitespace fix for minifirewall/defaults/main.yml --- minifirewall/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 7defa14f..e0ebd800 100644 
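Review bot: `Make sure /home/solr exists` runs the `file` module against `/home/solr` on the LXC host, while the next task moves `/var/solr` to `/home/solr/{{name}}` inside the container via `lxc-attach`; unless the container already has `/home/solr`, the `mv` fails and the host directory is never used. The path should be `/var/lib/lxc/{{ name }}/rootfs/home/solr`, matching the other container-side paths in this file. The `mv` and `ln -s` commands are also not idempotent: on a second run `/var/solr` is already the symlink, so `mv` moves it into `/home/solr/{{name}}` instead; guard both with `args: creates:` on the rootfs path of the target directory, or with a `stat` check.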
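Review bot: `Set Solr port to {{ solr_port }}` appends `SOLR_PORT={{ solr_port }}` with `lineinfile` but no `regexp`, so changing `solr_port` later adds a second `SOLR_PORT=` line instead of replacing the first, and whichever the shell reads last wins silently. Add `regexp: '^SOLR_PORT='` to the task so the line is updated in place.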
--- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -48,13 +48,13 @@ minifirewall_smtp_ok: Null minifirewall_smtp_secure_ok: Null minifirewall_ntp_ok: Null -minifirewall_default_debian_http_sites: +minifirewall_default_debian_http_sites: - security.debian.org - security-cdn.debian.org - volatile.debian.org - backports.debian.org -minifirewall_default_ubuntu_http_sites: +minifirewall_default_ubuntu_http_sites: - archive.ubuntu.com - security.ubuntu.com -- 2.39.2 From 9d8d0776d7deb674d3c6de2a6e4acafd135e2edd Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jul 2019 20:02:24 -0400 Subject: [PATCH 37/38] Adds ubuntu condition checks to evomaintenance role. Installs the evomaintenance package with a .deb for now. --- .../tasks/install_package_ubuntu.yml | 18 ++++++++++++++++++ evomaintenance/tasks/main.yml | 11 ++++++++--- 2 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 evomaintenance/tasks/install_package_ubuntu.yml diff --git a/evomaintenance/tasks/install_package_ubuntu.yml b/evomaintenance/tasks/install_package_ubuntu.yml new file mode 100644 index 00000000..5b6664fc --- /dev/null +++ b/evomaintenance/tasks/install_package_ubuntu.yml @@ -0,0 +1,18 @@ +--- + +- name: Package is installed + apt: + deb: 'http://pub.evolix.net/stretch/evomaintenance_0.2.9-1_all.deb' + tags: + - evomaintenance + +- name: Configuration is installed + template: + src: evomaintenance.j2 + dest: /etc/evomaintenance.cf + owner: root + group: root + mode: "0600" + force: "{{ evomaintenance_force_config | bool }}" + tags: + - evomaintenance diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml index 6d2cd26c..e9e22007 100644 --- a/evomaintenance/tasks/main.yml +++ b/evomaintenance/tasks/main.yml 
@@ -9,15 +9,20 @@ - evomaintenance_api_key is not none msg: evomaintenance api variables must be set +- include: install_package_ubuntu.yml + when: + - not evomaintenance_install_vendor + - ansible_distribution == "Ubuntu" + - include: install_package_debian.yml when: - not evomaintenance_install_vendor - - ansible_distribution == "Debian" + - ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" - include: install_vendor_debian.yml when: - evomaintenance_install_vendor - - ansible_distribution == "Debian" + - ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" - include: install_vendor_openbsd.yml when: @@ -25,4 +30,4 @@ - include: minifirewall.yml when: - - ansible_distribution == "Debian" + - ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" -- 2.39.2 From c45ac8433471ba4b59e0e3e49fe516776313e750 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jul 2019 20:06:22 -0400 Subject: [PATCH 38/38] Adds a bunch of checks for ubuntu to evolinux-base and evolinux-users This feels a bit hacky, but it's the best I could come up with on short order --- evolinux-base/tasks/ssh.yml | 4 ++-- evolinux-base/tasks/system.yml | 4 ++-- evolinux-users/tasks/main.yml | 6 +++--- evolinux-users/tasks/ssh.yml | 4 ++-- evolinux-users/tasks/sudo.yml | 2 +- evolinux-users/tasks/user.yml | 18 ++++++++++-------- 6 files changed, 20 insertions(+), 18 deletions(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index c6b87cae..e6b31ccb 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml 
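Review bot: On an Ubuntu host with `evomaintenance_install_vendor` false, both `install_package_ubuntu.yml` and `install_package_debian.yml` are now included, because the condition on the second include was widened to `ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"` in the same hunk; the Debian file presumably installs the package from the repository, which the new Ubuntu file exists to replace. Keep the `install_package_debian.yml` include on `- ansible_distribution == "Debian"` and widen only the vendor and minifirewall includes.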
@@ -13,7 +13,7 @@ # We want to allow any user from a list of IP addresses to login with password, # but users of the "evolix" group can't login with password from other IP addresses -- name: "Security directives for Evolinux (Debian 10 or later)" +- name: "Security directives for Evolinux (Debian 10 and Ubuntu 18.04 or later)" blockinfile: dest: /etc/ssh/sshd_config marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" @@ -27,7 +27,7 @@ notify: reload sshd when: - evolinux_ssh_password_auth_addresses != [] - - ansible_distribution_major_version | version_compare('10', '>=') + - (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) - name: Security directives for Evolinux (Jessie/Stretch) blockinfile: diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 502df7e9..d61f496c 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -125,7 +125,7 @@ mode: "0755" when: - evolinux_system_alert5_init - - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" + - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu" - name: Enable alert5 init script (jessie/stretch) service: @@ -134,7 +134,7 @@ when: - evolinux_system_alert5_init - evolinux_system_alert5_enable - - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" + - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu" diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index e5872a91..a7230d15 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml 
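Review bot: The compound `(Debian and >= 10) or (Ubuntu and >= 18)` condition added to the `when:` at `@@ -27,7 +27,7 @@` is repeated verbatim in evolinux-users/tasks/sudo.yml, evolinux-users/tasks/ssh.yml and four times in evolinux-users/tasks/user.yml, varying only in the Debian threshold, so a future distribution or threshold change has to be edited in seven places. Computing it once per role, e.g. `evolinux_distro_recent: "{{ (ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | version_compare('18', '>=')) }}"` in a `set_fact` and then `when: evolinux_distro_recent | bool`, keeps the policy in one place. The blockinfile task this `when:` belongs to starts outside the hunk.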
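Review bot: `or ansible_distribution == "Ubuntu"` in the alert5 `when:` conditions of evolinux-base/tasks/system.yml matches every Ubuntu release, unlike the `>= 18` guard used elsewhere in this series, and the task names still read "(jessie/stretch)". If the init-script path is really wanted on Ubuntu 18.04, bound it the same way, `or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))`, and rename the tasks; the same applies to the second hunk at `@@ -134,7 +134,7 @@`. Both tasks start outside their hunks.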
@@ -3,9 +3,9 @@ - name: "System compatibility checks" assert: that: - - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('8', '>=') - msg: only compatible with Debian >= 8 + - (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu") + - (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>=')) + msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04 - debug: msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!" diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 70570c63..f22fe0fd 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -28,9 +28,9 @@ - set_fact: # If "AllowGroups is present" or "AllowUsers is absent and Debian 10+", - ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}" + ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and ((ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | version_compare('18', '>=')))) }}" # If "AllowGroups is absent" and "AllowUsers is absent or Debian <10" - ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}" + ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '<'))) }}" - debug: var: ssh_allowgroups diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index a4b28d25..add7343e 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml 
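Review bot: The two assertions in evolinux-users/tasks/main.yml are not paired with the distribution, so `version_compare('8', '>=')` alone satisfies the second one on any Ubuntu release (16.04 reports major version 16), and the check no longer rejects the Ubuntu versions the role does not support. Fold both into one expression, `- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))`, and make the message say `Debian >= 8 OR Ubuntu >= 18.04`, since a host cannot be both.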
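Review bot: The comment above `ssh_allowgroups` in evolinux-users/tasks/ssh.yml, `# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+"`, no longer describes the expression, which now also selects AllowGroups on Ubuntu 18+; update it to `# If "AllowGroups is present" or "AllowUsers is absent and (Debian 10+ or Ubuntu 18+)"`. The `ssh_allowusers` comment is still accurate because its new expression keeps the `Debian` qualifier, but it is worth stating there that an Ubuntu host never falls back to AllowUsers unless one is already configured.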
@@ -4,6 +4,6 @@ when: ansible_lsb.codename == "jessie" - include: sudo_stretch.yml - when: ansible_distribution_major_version | version_compare('9', '>=') + when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) - meta: flush_handlers diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 96c70e31..9ded655e 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml 
@@ -59,31 +59,32 @@ ## Group for SSH authorizations -- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)" +- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 and Ubuntu 18 or later)" group: name: "{{ evolinux_ssh_group }}" state: present - when: ansible_distribution_major_version | version_compare('10', '>=') + when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) -- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)" +- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 and Ubuntu 18 or later)" user: name: '{{ user.name }}' groups: "{{ evolinux_ssh_group }}" append: yes - when: ansible_distribution_major_version | version_compare('10', '>=') + when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) ## Optional group for all evolinux users -- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)" +- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 and Ubuntu 18 or later)" group: name: "{{ evolinux_internal_group }}" state: present when: - evolinux_internal_group is defined - evolinux_internal_group != "" - - ansible_distribution_major_version | version_compare('9', '>=') + - (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) -- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)" + +- name: "Unix user '{{ user.name }}' belongs to group '{{ 
evolinux_internal_group }}' (Debian 9 and Ubuntu 18 or later)" user: name: '{{ user.name }}' groups: "{{ evolinux_internal_group }}" @@ -91,7 +92,8 @@ when: - evolinux_internal_group is defined - evolinux_internal_group != "" - - ansible_distribution_major_version | version_compare('9', '>=') + - (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) + ## Optional secondary groups, defined per user -- 2.39.2
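Review bot: The `+` blank lines added before the `Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}'` task and, in the second hunk at `@@ -91,7 +92,8 @@`, after its `when:` are the only changes not tied to the Ubuntu condition and leave a double blank line in the file; drop them so the hunks carry only the intended change. The task names here say "Ubuntu 18 or later" while the compatibility messages elsewhere in the series say "Ubuntu 18.04"; pick one wording for the whole series.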